We are using Jira v7.13.13, and we see a number of folders using the log4j-1.X jar files, which have been end of life since 2016.
Below are a few of the folders with these jar files:
/opt/atlassian/jira/lib/log4j-1.2.16.jar
/opt/devops/atlassian-jira-software-7.13.11-standalone/lib/log4j-1.2.16.jar
/var/atlassian/application-data/jira/plugins/.osgi-plugins/felix/felix-cache/bundle73/version0.0/jira-projects-plugin-4.5.35.jar-embedded/META-INF/lib/log4j-1.2.16.jar
For now, we have mitigated this by removing JMSAppender.class from these jar files. But since this is using an EOL product, we are advised to migrate to log4j-2.X versions. Please advise and provide us the steps for this.
Thanks
Daljinder Singh
Mobile number: +65-87271801
Hi @mayank ashok ,
I'm not sure if upgrading is warranted. If you'd like to follow the status of upgrading the version, please follow this ticket.
https://jira.atlassian.com/browse/JRASERVER-62838
If the concern is the vulnerability, then you just need to be on the Atlassian-maintained fork version. Please see the link for details:
Thanks,
Ben
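A read-only check for the mitigation described in the question, added here as an example (not code from the thread or from Atlassian): it lists every log4j-1.x jar under a directory, including copies embedded inside plugin jars, and reports whether JMSAppender.class is still present. Matching jars by the file name pattern `log4j-1.*.jar` and the function names are assumptions of this example.

```python
import io
import os
import re
import sys
import zipfile

# Class removed by the mitigation described in the question.
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
# Assumption: log4j 1.x jars keep their stock file name (log4j-1.2.16.jar etc.).
LOG4J1_NAME = re.compile(r"(^|/)log4j-1\.[\d.]+\.jar$")


def scan_archive(data, label, depth=3):
    """Yield (location, has_jms_appender) for each log4j 1.x jar found.

    `data` is a path or a binary file object and `label` its readable location.
    Jars embedded in other jars are opened in memory, up to `depth` levels.
    """
    try:
        with zipfile.ZipFile(data) as zf:
            names = zf.namelist()
            if LOG4J1_NAME.search(label.replace(os.sep, "/")):
                yield label, JMS_APPENDER in names
            if depth == 0:
                return
            for name in names:
                if name.endswith(".jar"):
                    inner = io.BytesIO(zf.read(name))
                    yield from scan_archive(inner, f"{label}!/{name}", depth - 1)
    except (zipfile.BadZipFile, OSError):
        return  # unreadable or not a zip archive: skip it


def scan_tree(root):
    """Walk `root` and return a sorted list of (location, has_jms_appender)."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.endswith(".jar"):
                path = os.path.join(dirpath, fname)
                results.extend(scan_archive(path, path))
    return sorted(results)


if __name__ == "__main__":
    for location, present in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(("STILL PRESENT  " if present else "removed        ") + location)
```

Run it against the install and home directories after patching and again after any Jira or plugin upgrade, since an upgrade can put unpatched jars back.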